Introduction: Understanding MFA Fatigue
I've heard many people complaining about Multi-Factor Authentication (MFA) fatigue, where they are repeatedly prompted to reauthenticate using their credentials and MFA every time they open a new tab, navigate to a different portal, or access another blade, despite being signed into their work profile with synchronisation enabled in Microsoft Edge.
I'm hoping to save you hours of troubleshooting and frustration. So, if you are a victim of MFA fatigue, this is something for you.
Table of contents
Identifying the Issue
A specific scenario involves being prompted to sign in, entering your credentials, and then seeing the message: "Continue to sign in? When you sign in, we use your account to sign you in to other Microsoft apps and services. Learn more at aka.ms/sso-info”, like the one below:
If you're experiencing MFA fatigue but your prompt does not point you to aka.ms/sso-info, your issue might stem from your organisation's Conditional Access policies. These policies can control sign-in frequency, enforce reauthentication when accessing sensitive information, or trigger prompts when you're perceived as a risky user or your sign-in was flagged as risky.
Diagnosing the Problem
If your prompt points you to aka.ms/sso-info, I might have a resolution for you. Check your sign-in logs in Entra ID, and you might notice that some of your logins were interrupted or failed. The Basic Info tab will show:
Sign-in error code: 9002341
Failure reason: User is required to permit SSO.
The problem likely arose due to recent modifications to the Windows single sign-on experience.
The Root Cause: Compliance with the Digital Markets Act
Microsoft is dedicated to ensuring compliance with the Digital Markets Act (DMA) within the European Economic Area (EEA). As part of this commitment, they are altering how Windows operates to align with global regulations like the DMA. One significant change involves the sign-in process for apps on Windows.
Users in the EEA who set their Windows region to a country within the area encounter a new notice after signing into Windows. This notice appears when users access the first application or service in the latest versions of Windows 10 and Windows 11. It asks if they wish to use the same credentials for signing into the application as they did for Windows. The notice also informs them that these credentials will be used for signing into other Microsoft apps on Windows.
This notice is intended to be displayed the first time a user attempts to sign in to an app that allows sign-in with a personal Microsoft account or a work or school Entra ID, following their Windows sign-in. If the user opts to use the same credentials, the notice will not reappear.
However, the current user experience does not seem as straightforward as Microsoft has described...
Resolution: Reconnecting to Entra ID
I found that the resolution to this issue is to disconnect from your organisation's Entra ID domain in your Windows settings and reconnect it to your company's Entra ID domain. Once reconnected, sign into any of the Microsoft 365 apps or add a new profile to the Microsoft Edge browser. When prompted whether you want to sign in to all apps or "this app only," choose the option to sign in to all applications, which should remediate the problem.
=> Start > Settings > Accounts > Access work or school > Click on the account that says is connected to your organisation’s Entra ID > Disconnect
You can find a step by step guide on how to Entra ID join devices here.
Conclusion
If you've been dealing with MFA fatigue, I hope this solution saves you hours of frustration and troubleshooting. For more details about the recent changes to the Windows Single Sign-On experience, you can read more here.
Feel free to share your experiences and let me know if this solution worked for you!
Comments